Skillv1.0.2

ClawScan security

Wei Cross Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 5:13 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to do what it says (orchestrate multiple LLMs and synthesize answers) but the package metadata, runtime instructions, and registry declarations contain inconsistencies (missing required env listing and 'instruction-only' claim despite many code files), so review and caution are advised before installing.
Guidance: What to consider before installing: 1) Metadata mismatch: The registry summary claims no required env vars and 'instruction-only', but SKILL.md and the code require Bun and an OPENROUTER_API_KEY (DASHSCOPE_API_KEY optional) and include runnable TypeScript. Treat the skill as code you will run, not a text-only recipe. 2) Secrets: The skill needs provider API keys. Only provide API keys you trust the provider with and consider using a dedicated account/key with limited billing/permissions. 3) Review clients: The repo contains clients for OpenRouter and Bailian (DashScope). If you are concerned about exfiltration or unexpected endpoints, read scripts/clients/* to confirm which API bases are called and whether any additional telemetry or unexpected endpoints are used. 4) Local files: The agent writes intermediate/ and reports/ files. If queries or model outputs contain sensitive data, these will be stored locally — remove or secure those directories if needed. 5) Run in isolation first: Execute in an isolated environment (VM/container) and inspect network traffic or logs during a test run if possible. Use test API keys and low-privilege accounts initially. 6) Deployment choice: If you do not want the skill to call many external models, edit config.json to remove/untrustworthy providers or reduce max_models before use. If you want, I can: (a) inspect the client files to list exact HTTP endpoints used and any headers/telemetry, (b) point out the lines that read env vars and write files, or (c) suggest a minimal-safe config.json that limits providers and logging.
Findings: [ignore-previous-instructions] expected: The string pattern 'ignore previous instructions' (and similar) appears in the code's sanitizeInput() as a defensive pattern to detect/purge prompt-injection attempts. The static scan flagged it as a prompt-injection indicator, but in this repo it is used to REDACT those patterns from user input (defensive), so the finding is expected given the skill's design.

Review Dimensions

Purpose & Capability: noteThe skill's name and description (cross-validate research answers by querying multiple LLMs and using a judge) align with the code and SKILL.md: it needs provider API keys and a runtime (Bun) to call external LLM endpoints. However, the registry metadata at the top reports "Required env vars: none" and claims "No install spec — instruction-only" while the SKILL.md and repository include code files, a package.json, and explicit requirements (OPENROUTER_API_KEY required). That metadata vs. implementation mismatch is an incoherence the user should know about.
Instruction Scope: noteThe SKILL.md and the code limit actions to: reading config.json, loading prompt templates, calling configured model provider APIs, saving per-model intermediate responses and a report to local disk, and applying input sanitization. These actions are within the stated purpose (multi-model querying and judge synthesis). The skill does read config files and environment variables and writes reports/intermediate files locally — expected for this use case but worth noting if you consider local storage of sensitive queries/answers.
Install Mechanism: concernThe skill registry states "No install spec — instruction-only", but the package actually includes TypeScript code, package.json, and instructions that run 'bun install' and 'bun run scripts/index.ts'. There is no remote download of arbitrary archives, and dependencies are standard (axios, dotenv), but the mismatch between registry metadata and real install/runtime steps is an inconsistency that increases risk (users may expect no code to be executed).
Credentials: noteThe SKILL.md requires an OPENROUTER_API_KEY (required) and optionally DASHSCOPE_API_KEY (optional) which are proportional to its purpose (calling external model providers). However, the registry summary incorrectly reported no required env vars — a meaningful discrepancy. Because provider API keys can be used to consume billable resources or access account data, treat those keys as sensitive and limit their scope/permissions where possible.
Persistence & Privilege: okThe skill does not request 'always: true' or other elevated platform privileges. It writes outputs to local report and intermediate directories (reports/, intermediate/) but does not modify other skills' configs. Autonomous invocation is allowed by default (normal for skills) but not combined here with elevated persistence privileges.